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Amendments to the Claims: 

This listing of claims will replace all prior versions, and listings, of claims in the application: 

TJsting of Claims: 

1. (original): A method of detecting critical file changes, comprising: 
reading events representing various types of system calls; 

routing the event to an appropriate template, the event having multiple parameters; 
filtering the event as either a possible intrusion based on the multiple parameters and 
either dropping the event or outputting the event; and 

creating an intrusion alert if an event is output from said filtering step. 

2. (original): The method of claim 1, wherein said filtering step outputs an event if the 
parameters indicate that the permission bits on a file or directory were changed. 

3. (original): The method of claim 1, wherein said filtering step outputs an event if the 
parameters indicate that a file was opened for truncation. 

4. (original): The method of claim 1, wherein said filtering step outputs an event if the 
parameters indicate that ownership or group ownership of a file has been changed. 

5. (original): The method of claim 1, comprising a create step which outputs an alert 
message if a file was renamed including a file that was renamed and a new name that the file was 
renamed to. 
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6. (original): The method of claim 1, comprising configuring templates based on a list of 
files and directories to be included or excluded based on whether the files and directories are 
considered unmodifiable. 

7. (original): A method of detecting critical file changes, comprising: 
reading events including encoded information representing system calls; 
routing the event to an appropriate template based on the encoded information; 
filtering the event as either a possible intrusion based on the encoded information and 

either dropping the event or outputting the event; and 

creating an intrusion alert of an event is output from said filtering step. 

8. (original): The method of claim 7, wherein said filtering step outputs an event if the 
encoded information indicates that the permission bits on a file or directory were changed. 

9. (original): The method of claim 7, wherein said filtering step outputs an event if the 
encoded information indicates that a file was opened for truncation. 

10. (original): The method of claim 7, wherein said filtering step outputs an event of the 
encoded information indicates that ownership or group ownership of a file has been changed. 

11. (original): The method of claim 7, comprising a create step which outputs an alert 
message if a file was renamed including a file that was renamed and a new name that the file was 
renamed to. 
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12. (original): The method of claim 7, comprising configuring templates based a list of 
files and directories to be included or excluded based on whether the files and directories are 
considered unmodifiable. 

13. (New) A computer-readable medium storing instructions which, when executed 
by a processor, cause the processor to implement the method steps of claim 1. 

14. (New) A system for detecting critical file changes, comprising: 
a processor; and 

a memory storing instructions which, when executed by the processor, cause the 
processor to route events to an appropriate template, wherein the event includes one or more 
parameters, filter the event as either a possible intrusion based on one of the one or more 
parameters and either dropping the event or outputting the event, and create an intrusion alert if 
an event is output from the filter. 

15. (New) The system of claim 14, wherein the instructions causing the processor to 
filter the event include instructions causing the processor to output an event if the one or more 
parameters indicate that the permission bits on a file or directory were changed. 

16. (New) The system of claim 14, wherein the instructions causing the processor to 
filter the event include instructions causing the processor to output an event if the one or more 
parameters indicate that a file was opened for truncation. 

17. (New) The system of claim 14, wherein the instructions causing the processor to 
filter the event include instructions causing the processor to output an event if the one or more 
parameters indicate that ownership or group ownership of a file has been changed. 

18. (New) The system of claim 14, wherein the instructions comprise instructions 
causing the processor to output an alert message if a file was renamed including a file that was 
renamed and a new name that the file was renamed to. 
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19. (New) The system of claim 14, wherein the instructions comprise instructions 
causing the processor to configure templates based on a list of files and directories to be included 
or excluded based on whether the files and directories are considered unmodifiable. 


